A practicing CISO's perspective on managing information security in large enterprises.

Tuesday, December 30, 2008

38 million laptops and counting

eWeek reported the other day that for the first time laptop sales have outpaced desktop sales. Good news for laptop manufacturers, chiropractors, and people who steal laptops. After all, it's just not as easy to walk past the receptionist balancing a desktop on your shoulder.

More stolen laptops also means more of those pesky letters telling you that someone, somewhere might have your personal data. Data breach notification laws in 44 states now require that individuals be notified when their personal data has been exposed. Lost or stolen laptops account for a large share of these notifications.

There is no real evidence that these laws work to reduce identity theft (a good paper on this question was presented at the WEIS 2008 conference). But one thing's for sure: data breach laws are one of the leading drivers for companies to hire CISOs to keep them out of the newspapers. This is especially true in loosely regulated industries where companies would otherwise see little reason to bring a CISO on board. In the UK (which does not have a private sector data breach notification law, but where government entities are required to report loss) the spate of lost laptops, memory sticks, and CDs with sensitive data has become a major political issue.

All this attention motivates some companies to focus on avoiding a public breach rather than actually securing their environment. This is a fundamental difference, since most data breaches cannot be traced back to their source. If someone just took out a loan using your name and social security number, you have very little way to know how they got that information. This is the reason that lost laptops have been such a major trigger for breach notifications. A lost laptop is an obvious, incontrovertible loss of data. Unlike a suspicious event in an Apache log, a laptop theft is hard to sweep under the rug or leave unreported.

Data breach notification laws almost universally exempt encrypted data, leading many organizations to mandate laptop encryption. Is all the money, time, and effort spent on encrypting laptops worth it? Are we spending valuable resources encrypting laptops when our efforts should be directed elsewhere? The data on a lost laptop is accessible to a very small number of people who in all likelihood have no interest in it. On the other hand, the database behind a poorly secured web application is accessible to the entire world. The organizational capital that a CISO expends on forcing laptop encryption is coming from somewhere else. But from a business risk perspective encrypting laptops makes sense because the cost of not encrypting (and then having to notify if a laptop is lost) is too high.

And let's give breach notification laws their due. There is a fundamental fairness about them: when your data is somehow lost, you get to hear about it. Sunshine is the best disinfectant, and they force companies to 'fess up when they have messed up. The problem with the laws is that they are still open to an enormous amount of interpretation. The press has focused on lost laptops while ignoring much bigger risks. When someone on vacation accesses a sensitive company web application from a kiosk computer in the hotel lobby, you could argue that a greater data breach has occurred than when a laptop is lost on a train. The lost laptop will almost certainly be reimaged or picked up by someone who will never access the data. The hotel computer, on the other hand, may well be riddled with spyware and is an obvious target for cybercriminals. And yet the lost laptop triggers a potential data breach notification, while the hotel incident does not.

The laws are starting to catch up to this reality. A new Massachusetts law goes further than most in requiring comprehensive security policies. These new regulations should be relatively painless for organizations that have an overall security narrative in place and have dedicated sufficient resources to securing their environment. Others may belatedly discover that just encrypting all those newly purchased laptops is not enough.